This is my review of The Hacker Playbook 3: Practical Guide to Penetration Testing by Peter Kim.
As an Amazon Associate I earn from qualifying purchases.
Updates and errata to this book can be found on the author’s GitHub.
This book covers a lot of tools, techniques, and procedures (TTPs) used by penetration testers. Coincidentally, many of these TTPs are also used by criminals. Although I do not work as a penetration tester or participate in criminal operations, I can attest to the legitimacy of the TTPs covered in this book. This is the real deal.
I have read this book three times. One of the things that really stuck out the first time I read it was that the author mentions that reading the book multiple times is beneficial. I can also attest to this, as there were several TTPs covered that I had read about previously, but at the time didn’t get exposed to on a regular basis. Re-reading this book with the context and experience I have gained since the last time I read it helped me solidify my knowledge and form some new connections.
> For those who are just getting into security, one of the most common things I hear from readers is that they tend to gain the most benefit from the books after reading them for the second or third time (making sure to leave adequate time between reads). There is a lot of material thrown at you throughout this book and sometimes it takes time to absorb it all.
>
> Peter Kim – The Hacker Playbook 3: Practical Guide to Penetration Testing. Preface.
At my day job, I respond to events which involve TTPs covered in this book every day. As such, I feel that it is necessary to study offensive techniques because it makes me a more effective defender. Being familiar with the tools being used against me enables me to make much quicker determinations on an attacker’s intent and helps anticipate their next moves.
I recently saw a document mentioned on my Twitter feed: Hack Back! A DIY guide to rob banks, by Phineas Fisher. This paper has been published for a couple of years at this point and as far as I can tell is valid. I remember reading it initially and thinking it was an entertaining article, so I read it again.
Phineas Fisher states the following within this document:
This is sound advice. Seeing this, and remembering Peter Kim’s quote about re-reading material prompted me to read this book again. I am happy that I read it, but it will likely be the last time I read this edition. If the author releases another edition, I will definitely read it.
The previous edition of this book has a nearly identical chapter layout. The editions differ in which tools they cover and in how they describe building your own lab to practice with.
A good start to a lab to practice with might consist of:
- Windows Server configured as a domain controller
- Windows 10 machine joined to this domain
- An intentionally vulnerable VM such as Metasploitable
- A domain not running anything important.
- A free/cheap VPS or two
- A machine to attack from
- Additional machines depending on what software you intend to use, or topics you’d like to explore. This is entirely up to you.
This book is organized into ten chapters:
- Pregame – The Setup
- Before the Snap – Red Team Recon
- The Throw – Web Application Exploitation
- The Drive – Compromising the Network
- The Screen – Social Engineering
- The Onside Kick – Physical Attacks
- The Quarterback Sneak – Evading AV and Network Detection
- Special Teams – Cracking, Exploits, and Tricks
- Two-Minute Drill – From Zero to Hero
- Post Game Analysis – Reporting
My favorite chapters were:
- Pregame, which covered several C2 frameworks
- The Drive, which covered lateral movement
- The Quarterback Sneak, which covered evading intrusion detection systems
My only gripe is that I wish the sections about writing offensive code were longer.
This book is still excellent; however, like other books which cover lots of tools and techniques, it has a shelf life. TTPs “expire” after a while as new tools are built or old ones decay from a lack of maintenance. Detection capabilities also evolve, which sometimes renders certain techniques useless or greatly reduces their relevancy. Often, tools will still exist after several years, but they receive cosmetic and functional changes such that what was written about them in the past no longer describes them.
Conversely, there are still issues that will continue to be a problem for the foreseeable future, and the TTPs to leverage these flaws have and will remain constant for years to come.
I’d wager that at least 95% of this book is still relevant, but I do not know how relevant it will be in a few years. I still think that at least 75% of this will be mostly relevant for the next 5+ years. Luckily, the author seems to take this project seriously and releases new editions every few years. Perhaps there will be a 4th edition in the future?